Abstract. A $k$-query locally decodable code (LDC) $C : \Sigma^n \to \Gamma^N$ encodes each message $x$ into a codeword $C(x)$ such that each symbol of $x$ can be probabilistically recovered by querying only $k$ coordinates of $C(x)$, even after a constant fraction of the coordinates have been corrupted. Yekhanin (2008) constructed a 3-query LDC of subexponential length, $N = \exp(\exp(O(\log n / \log \log n)))$, under the assumption that there are infinitely many Mersenne primes. Efremenko (2009) constructed a 3-query LDC of length $N_2 = \exp(\exp(O(\sqrt{\log n \log \log n})))$ with no assumption, and a $2^r$-query LDC of length $N_r = \exp(\exp(O(\sqrt[r]{\log n (\log \log n)^{r-1}})))$, for every integer $r \ge 2$. Itoh and Suzuki (2010) gave a composition method in Efremenko's framework and constructed a $3 \cdot 2^{r-2}$-query LDC of length $N_r$, for every integer $r \ge 4$, which improved the query complexity of Efremenko's LDC of the same length by a factor of $3/4$. The main ingredient of Efremenko's construction is the Grolmusz construction for superpolynomial size set-systems with restricted intersections, over $\mathbb{Z}_m$, where $m$ possesses a certain "good" algebraic property (related to the "algebraic niceness" property of Yekhanin (2008)). Efremenko constructed a 3-query LDC based on $m = 511$ and left as an open problem to find other numbers that offer the same property for LDC constructions. In this paper, we develop the algebraic theory behind the constructions of Yekhanin (2008) and Efremenko (2009), in an attempt to understand the "algebraic niceness" phenomenon in $\mathbb{Z}_m$. We show that every integer $m = pq = 2^t - 1$, where $p$, $q$ and $t$ are prime, possesses the same good algebraic property as $m = 511$ that allows savings in query complexity. We identify 50 numbers of this form by computer search, which together with 511, are then applied to gain improvements on query complexity via Itoh and Suzuki's composition method. More precisely, we construct a $3^{\lceil r/2 \rceil}$-query LDC for every positive integer $r < 104$ and a $\lfloor (3/4)^{51} \cdot 2^r \rfloor$-query LDC for every integer $r \ge 104$, both of length $N_r$, improving the $2^r$ queries used by Efremenko (2009) and $3 \cdot 2^{r-2}$ queries used by Itoh and Suzuki (2010).

We also obtain new efficient private information retrieval (PIR) schemes 
from the new query-efficient LDCs. 

Keywords. Locally decodable codes, Mersenne numbers, private information retrieval

Subject classification. 20C05, 94B60 

1. Introduction 

A classical error-correcting code $C : \Sigma^n \to \Gamma^N$ allows one to encode a message $x$ into a codeword $C(x)$ such that $x$ can be recovered even if $C(x)$ gets corrupted in a number of coordinates. However, to recover even a small portion of the message $x$, one has to consider all or most of the coordinates of the received (possibly corrupted) codeword. Katz & Trevisan (2000) considered error-correcting codes where each symbol of the message can be probabilistically recovered by looking at a limited number of coordinates of a corrupted encoding. Such codes are known as locally decodable codes (LDCs). Informally, a $(k, \delta, \varepsilon)$-LDC $C : \Sigma^n \to \Gamma^N$ encodes a message $x$ into a codeword $C(x)$ such that each symbol $x_i$ of the message can be recovered with probability at least $1 - \varepsilon$, by a probabilistic decoding algorithm that makes at most $k$ queries, even if the codeword is corrupted in up to $\delta N$ locations. LDCs have many applications in cryptography and complexity theory (see, for example, Gasarch (2004); Trevisan (2004)), and have attracted a considerable amount of attention (Deshpande et al. 2002; Dvir & Shpilka 2005; Efremenko 2009; Goldreich et al. 2006; Gopalan 2009; Itoh & Suzuki 2010; Kedlaya & Yekhanin 2008; Kerenidis & de Wolf 2004; Obata 2002; Raghavendra 2007; Shiowattana & Lokam 2006; Wehner & de Wolf 2005; Woodruff 2007; Yekhanin 2008) since their formal introduction by Katz & Trevisan (2000).

For constant $\delta$ and $\varepsilon$, the efficiency of a $(k, \delta, \varepsilon)$-LDC $C : \Sigma^n \to \Gamma^N$ is measured by its length $N$ and query complexity $k$. Ideally, we want both $N$ and $k$ to be as small as possible. Katz & Trevisan (2000) proved that there do not exist families of 1-query LDCs. Goldreich et al. (2006) obtained an exponential lower bound of $\exp(\Omega(n))$ on the length of 2-query linear LDCs. Kerenidis & de Wolf (2004) showed that the optimal length of any 2-query LDC is $\exp(\Theta(n))$ via a quantum argument. For a $k$-query ($k \ge 3$) LDC, Woodruff (2007) obtained a superlinear lower bound of $\Omega(n^{(k+1)/(k-1)} / \log n)$ on its length. Other lower bounds have been obtained by Deshpande et al. (2002), Obata (2002), Dvir & Shpilka (2005), Wehner & de Wolf (2005), and Shiowattana & Lokam (2006).

It has been conjectured for a long time that the length $N$ of any constant-query LDC should have an exponential dependence on its message length $n$. This conjecture was disproved by Yekhanin (2008), who constructed a 3-query LDC of length $\exp(\exp(O(\log n / \log \log n)))$ under the assumption that there are infinitely many Mersenne primes (primes of the form $M_t = 2^t - 1$, where $t$ is prime). Subsequently, Yekhanin's construction was nicely reformulated by Raghavendra (2007) using group homomorphisms. Inspired by this, Efremenko (2009) generalized Yekhanin's construction and established a framework for constructing LDCs in which the above assumption on Mersenne primes is no longer necessary. Efremenko (2009) constructed a $k_r$-query ($k_r \le 2^r$) LDC of length $N_r = \exp(\exp(O(\sqrt[r]{\log n (\log \log n)^{r-1}})))$ for every integer $r \ge 2$, and in particular, a 3-query ($k_2 = 3$) LDC of length $N_2 = \exp(\exp(O(\sqrt{\log n \log \log n})))$ for $r = 2$. The main ingredient of Efremenko's construction is a construction of Grolmusz (2000) for super-polynomial size set-systems with restricted intersections. Each of these set-systems is over a certain composite number, which has significant impact on the query complexity (the value of $k_r$) of the resulting LDC. Efremenko (2009) showed that the composite number 511 can result in a 3-query LDC of length $N_2$ and left as an open problem to find other suitable composite numbers.

Recently, Itoh & Suzuki (2010) developed a composition method in Efremenko's framework. This method allows one to compose, in an appropriate way, Efremenko's $k_r$-query ($k_r \le 2^r$) LDC of length $N_r$ and $k_l$-query ($k_l \le 2^l$) LDC of length $N_l$ to obtain a $k$-query LDC of length $N_{r+l}$ such that $k \le k_r k_l$. For every integer $r \ge 4$, taking Efremenko's 3-query LDC and $k_{r-2}$-query LDC as building blocks, the composition method yields a $k$-query LDC of length $N_r$ in which $k \le 3 \cdot 2^{r-2}$, improving the query complexity of Efremenko's LDC of the same length by a factor of $3/4$. We stress that this improvement is due to the first building block, that is, the 3-query LDC. Hence, it is of great interest to obtain as many such 3-query LDCs as possible, or equivalently, as many new composite numbers as possible which can result in 3-query LDCs of length $N_2$ in Efremenko's construction.

1.1. Our Results. In this paper we study the algebraic properties of good composite numbers which yield 3-query LDCs in Efremenko's construction. We give a characterization of such composite numbers and show that every Mersenne number which is a product of two primes is good. Consequently, we obtain a number of good composite numbers. These new good numbers, together with 511, are then applied to achieve improvements on the query complexity in Efremenko's framework.

Let $\mathcal{M}_2$ be the set of composite numbers, each of which is the product of two distinct odd primes and good (i.e., can yield a 3-query LDC of length $N_2$ in Efremenko's construction). We characterize numbers in $\mathcal{M}_2$, and show that the subset of Mersenne numbers (numbers of the form $M_t = 2^t - 1$, where $t$ is prime)

$$\mathcal{M}_{2,\mathrm{Mersenne}} = \{ m : m = 2^t - 1 = pq, \text{ where } p, q \text{ and } t \text{ are primes} \}$$

is contained in $\mathcal{M}_2$. Note that the number $511 = 2^9 - 1 = 7 \times 73$, suggested by Efremenko (2009), is in $\mathcal{M}_2$ but not in $\mathcal{M}_{2,\mathrm{Mersenne}}$. On the other hand, the number $15 = 3 \times 5$, the smallest possible candidate for $\mathcal{M}_2$, is not in $\mathcal{M}_2$, as checked via exhaustive search by Itoh & Suzuki (2010). We identify 50 numbers in $\mathcal{M}_{2,\mathrm{Mersenne}}$ and hence 50 new numbers in $\mathcal{M}_2$, which answers open problems raised by Efremenko (2009) and Itoh & Suzuki (2010). Furthermore, we show that:

(a) For every integer $r$, $1 \le r \le 103$, there is a $k$-query linear LDC of length $N_r$ for which

$$k \le \begin{cases} (\sqrt{3})^{r}, & \text{if } r \text{ is even,} \\ 8 \cdot (\sqrt{3})^{r-3}, & \text{if } r \text{ is odd.} \end{cases}$$

(b) For every integer $r \ge 104$, there is a $k$-query linear LDC of length $N_r$ for which $k \le (3/4)^{51} \cdot 2^r$.

(c) If $|\mathcal{M}_{2,\mathrm{Mersenne}}| = \infty$, then for every integer $r \ge 1$, there is a $k$-query linear LDC of length $N_r$ for which $k$ is the same as that in (a).

The notion of LDCs is closely related to the notion of information-theoretic private information retrieval (PIR) schemes. It is well known that LDCs with perfectly smooth decoders imply PIR schemes, and there is a generic transformation from LDCs to PIR schemes (Katz & Trevisan 2000). As with the LDCs of Efremenko (2009) and Itoh & Suzuki (2010), the query-efficient LDCs obtained in this paper also have perfectly smooth decoders$^1$. This in turn gives new PIR schemes with smaller communication complexity. For instance, the LDCs from (a) above imply PIR schemes with communication complexity $\exp(O(\sqrt[r]{\log n (\log \log n)^{r-1}}))$ for $3^{\lceil r/2 \rceil}$ servers. Compared with the best known PIR schemes of Itoh & Suzuki (2010) with the same communication complexity for $3 \cdot 2^{r-2}$ servers, where $r < 104$ is even, our new schemes require fewer servers.

$^1$ Note that the decoders for the LDCs of Yekhanin (2008) are not smooth.

We are able to identify only 50 numbers in $\mathcal{M}_{2,\mathrm{Mersenne}}$ by computer search, with the largest one being $M_{7331} = 2^{7331} - 1$. We believe that the search for more numbers in $\mathcal{M}_{2,\mathrm{Mersenne}}$ is of independent interest. In particular, it is an interesting open problem to determine how many numbers $\mathcal{M}_{2,\mathrm{Mersenne}}$ contains. Compared with Mersenne primes, it seems reasonable to conjecture that $|\mathcal{M}_{2,\mathrm{Mersenne}}| = \infty$.

1.2. Organization. This paper is organized as follows. In Section 2, we review Efremenko's framework and the composition method of Itoh & Suzuki (2010). In Section 3, we prove that all Mersenne numbers which are products of two primes belong to $\mathcal{M}_2$ and introduce the family $\mathcal{M}_{2,\mathrm{Mersenne}}$. We also characterize the numbers in $\mathcal{M}_2$ and discuss how to prove that a given number is not in $\mathcal{M}_2$. In Section 4, we obtain new query-efficient LDCs using the family $\mathcal{M}_{2,\mathrm{Mersenne}}$. This also gives new efficient PIR schemes with fewer servers. We conclude the paper in Section 5.

2. Preliminaries 

We briefly review Efremenko's framework (Efremenko 2009) and the composition method of Itoh & Suzuki (2010).

Let $m$ and $h$ be positive integers. The ring $\mathbb{Z}/m\mathbb{Z}$ is denoted $\mathbb{Z}_m$. The set $\{1, 2, \ldots, m\}$ is denoted $[m]$. The mod $m$ inner product of two vectors $x = (x_1, \ldots, x_h), y = (y_1, \ldots, y_h) \in \mathbb{Z}_m^h$ is defined to be $(x, y)_m = \sum_{i=1}^h x_i y_i \bmod m$. The Hamming distance between $x$ and $y$ is denoted $d_H(x, y)$.

Definition 2.1 (Locally Decodable Code). Let $k$, $n$ and $N$ be positive integers, and $0 < \delta, \varepsilon < 1$. A code $C : \Sigma^n \to \Gamma^N$ is said to be $(k, \delta, \varepsilon)$-locally decodable if there is a probabilistic decoding algorithm $\mathcal{D}$ such that:

(i) For every $x \in \Sigma^n$, $i \in [n]$, and $y \in \Gamma^N$ such that $d_H(y, C(x)) \le \delta N$, we have $\Pr[\mathcal{D}^y(i) = x_i] \ge 1 - \varepsilon$, where $\mathcal{D}^y$ means that $\mathcal{D}$ makes oracle access to $y$, and the probability is taken over the internal coin tosses of $\mathcal{D}$.

(ii) In every invocation, $\mathcal{D}$ makes at most $k$ queries to $y$.

The algorithm $\mathcal{D}$ is called a $(k, \delta, \varepsilon)$-local decoding algorithm for $C$. Parameters $k$ and $N$ are called the query complexity and length of $C$, respectively. The alphabets $\Sigma$ and $\Gamma$ are often taken to be a finite field $\mathbb{F}_q$, where $q$ is a prime power. A $k$-query LDC $C : \mathbb{F}_q^n \to \mathbb{F}_q^N$ is linear if it is a linear transformation, and nonadaptive if in every invocation, $\mathcal{D}$ makes all queries simultaneously. All the LDCs in this paper are linear and nonadaptive.

2.1. Efremenko's Framework. Efremenko's framework (Efremenko 2009) for constructing LDCs is essentially a generalization of the work of Yekhanin (2008). Let $m = p_1 p_2 \cdots p_r$ be a product of $r \ge 2$ distinct odd primes $p_1, p_2, \ldots, p_r$. Let $S \subseteq \mathbb{Z}_m \setminus \{0\}$ and $h$ be a positive integer. Let $t$ be the multiplicative order of $2 \in \mathbb{Z}_m^*$, and let $\gamma_m \in \mathbb{F}_{2^t}$ be a primitive $m$-th root of unity. The building blocks of Efremenko's framework for constructing LDCs include both an $S$-matching family and an $S$-decoding polynomial, which are defined as follows:

Definition 2.2 ($S$-Matching Family). For $S \subseteq \mathbb{Z}_m \setminus \{0\}$, a family of vectors $\{u_i\}_{i=1}^n \subseteq \mathbb{Z}_m^h$ is called an $S$-matching family if:

(i) $(u_i, u_i)_m = 0$, for $i \in [n]$; and

(ii) $(u_i, u_j)_m \in S$, for distinct $i, j \in [n]$.

Definition 2.3 ($S$-Decoding Polynomial). For $S \subseteq \mathbb{Z}_m \setminus \{0\}$, a polynomial $P(X) \in \mathbb{F}_{2^t}[X]$ is called an $S$-decoding polynomial if:

(i) $P(\gamma_m^s) = 0$, for $s \in S$; and

(ii) $P(\gamma_m^0) = P(1) = 1$.

For any subset $S \subseteq \mathbb{Z}_m \setminus \{0\}$, an $S$-matching family and the corresponding $S$-decoding polynomial yield a linear LDC immediately.

Theorem 2.4 (Efremenko 2009). Let $\{u_i\}_{i=1}^n \subseteq \mathbb{Z}_m^h$ be an $S$-matching family and $P(X) = a_0 + a_1 X^{b_1} + \cdots + a_{k-1} X^{b_{k-1}} \in \mathbb{F}_{2^t}[X]$ be an $S$-decoding polynomial with $k$ monomials. Then there is a $k$-query linear LDC $C : \mathbb{F}_{2^t}^n \to \mathbb{F}_{2^t}^{m^h}$ with encoding and decoding algorithms as in Fig. 2.1.

Theorem 2.4 shows that for any $S \subseteq \mathbb{Z}_m \setminus \{0\}$, an $S$-matching family of size $n$ and an $S$-decoding polynomial with $k$ monomials yield a $k$-query LDC which encodes each message of length $n$ into a codeword of length $m^h$. Once $m$ and $h$ are fixed, the length $N$ is inversely proportional to $n$. Hence, ideally, $n$ should be large and $k$ small. To have a large $S$-matching family, the set $S$ is usually taken to be $S_m$, the canonical set of $m$, which is defined as follows:
Encoding

Let $e_j \in \mathbb{F}_{2^t}^n$ denote the $j$-th unit vector for $j \in [n]$. The coordinates of a codeword $C(x)$ are indexed by vectors in $\mathbb{Z}_m^h$, where $x \in \mathbb{F}_{2^t}^n$. The encoding algorithm works as follows:

1. for $j \in [n]$ and $v \in \mathbb{Z}_m^h$, $C(e_j)_v = \gamma_m^{(u_j, v)_m}$;

2. for $x = (x_1, \ldots, x_n) \in \mathbb{F}_{2^t}^n$, we have $C(x) = \sum_{j=1}^n x_j \cdot C(e_j)$.

Decoding

To recover $x_i$ from a possibly corrupted codeword $y \in \mathbb{F}_{2^t}^{m^h}$ of any message $x$, we

1. choose a vector $v \in \mathbb{Z}_m^h$ uniformly and query the coordinates $y_v, y_{v + b_1 u_i}, \ldots, y_{v + b_{k-1} u_i}$;

2. output $\gamma_m^{-(u_i, v)_m} \cdot (a_0 \cdot y_v + a_1 \cdot y_{v + b_1 u_i} + \cdots + a_{k-1} \cdot y_{v + b_{k-1} u_i})$.

Figure 2.1: Efremenko's Framework for Constructing LDCs

Definition 2.5 (Canonical Set). Let $m = p_1 p_2 \cdots p_r$ be the product of $r \ge 2$ distinct odd primes $p_1, p_2, \ldots, p_r$. The canonical set of $m$ is defined to be

$$S_m = \{ s_a \in \mathbb{Z}_m : a \in \{0, 1\}^r \setminus \{0\} \text{ and } s_a \equiv a_i \pmod{p_i} \text{ for } i \in [r] \}.$$

For every integer $r \ge 2$, Efremenko (2009) proved that there exist an $S_m$-matching family of superpolynomial size and an $S_m$-decoding polynomial with at most $2^r$ monomials.

Proposition 2.6 (Efremenko 2009). Let $m = p_1 p_2 \cdots p_r$ be the product of $r \ge 2$ distinct odd primes $p_1, p_2, \ldots, p_r$.

(i) There is a positive constant $c$, depending only on $m$, such that for every integer $h > 0$, there is an $S_m$-matching family $\{u_i\}_{i=1}^n \subseteq \mathbb{Z}_m^h$ of size $n \ge \exp(c (\log h)^r / (\log \log h)^{r-1})$.

(ii) There is an $S_m$-decoding polynomial with at most $2^r$ monomials.

Efremenko's linear LDCs of subexponential length now immediately follow from Theorem 2.4 and Proposition 2.6.

Theorem 2.7 (Efremenko 2009). For every integer $r \ge 2$, there is a linear $(k_r, \delta, k_r \delta)$-LDC of length $N_r = \exp(\exp(O(\sqrt[r]{\log n (\log \log n)^{r-1}})))$ for which $k_r \le 2^r$. In particular, when $r = 2$, there is a linear $(3, \delta, 3\delta)$-LDC of length $N_2 = \exp(\exp(O(\sqrt{\log n \log \log n})))$.

2.2. The Composition Method. For every integer $r \ge 2$, there is a $k_r$-query linear LDC of subexponential length $N_r$ by Theorem 2.7, but its query complexity $k_r$ is only upper bounded by $2^r$. It is attractive to improve the query complexity. This is the motivation for Itoh and Suzuki's composition method.

Let $m_1 = p_1 p_2 \cdots p_r$ be the product of $r$ distinct odd primes $p_1, p_2, \ldots, p_r$ and $m_2 = q_1 q_2 \cdots q_l$ the product of $l$ distinct odd primes $q_1, q_2, \ldots, q_l$, where $r, l \ge 2$. Suppose $\gcd(m_1, m_2) = 1$. Let $m = m_1 m_2$, and $t_1$, $t_2$, and $t$ be the multiplicative orders of 2 in $\mathbb{Z}_{m_1}^*$, $\mathbb{Z}_{m_2}^*$, and $\mathbb{Z}_m^*$, respectively. By Theorem 2.4 and Theorem 2.7, there are linear LDCs $C_r : \mathbb{F}_{2^{t_1}}^n \to \mathbb{F}_{2^{t_1}}^{N_r}$, $C_l : \mathbb{F}_{2^{t_2}}^n \to \mathbb{F}_{2^{t_2}}^{N_l}$ and $C_{r+l} : \mathbb{F}_{2^t}^n \to \mathbb{F}_{2^t}^{N_{r+l}}$ of query complexities $k_r \le 2^r$, $k_l \le 2^l$, and $k_{r+l} \le 2^{r+l}$, respectively. Let $P_1(X) \in \mathbb{F}_{2^{t_1}}[X]$ and $P_2(X) \in \mathbb{F}_{2^{t_2}}[X]$ be the $S_{m_1}$-decoding polynomial for $C_r$ and the $S_{m_2}$-decoding polynomial for $C_l$, respectively. Let $\gamma_{m_1}$, $\gamma_{m_2}$, and $\gamma_m$ be the primitive $m_1$-th, $m_2$-th and $m$-th roots of unity used in the encoding algorithms of $C_r$, $C_l$, and $C_{r+l}$, respectively. It is not hard to see that there are integers $\mu$ and $\nu$ such that $\gamma_{m_1} = \gamma_m^{\mu m_2}$ and $\gamma_{m_2} = \gamma_m^{\nu m_1}$. Itoh & Suzuki (2010) proved that $P(X) = P_1(X^{\mu m_2}) P_2(X^{\nu m_1}) \in \mathbb{F}_{2^t}[X]$ is an $S_m$-decoding polynomial for $C_{r+l}$. Obviously, $P(X)$ contains at most $k_r k_l$ monomials. Hence, the composition theorem below follows.

Theorem 2.8 (Itoh & Suzuki 2010). With notations as above, there is a $k$-query linear LDC $C : \mathbb{F}_{2^t}^n \to \mathbb{F}_{2^t}^{N_{r+l}}$ for which $k \le k_r k_l$.

Theorem 2.8 shows that Efremenko's LDC $C_{r+l}$ essentially has a local decoding algorithm which makes at most $k_r k_l$ queries. The key idea of the composition method is as follows: if we choose the building blocks $C_r$ and $C_l$ in such a way that either $k_r < 2^r$ or $k_l < 2^l$, then a local decoding algorithm for $C_{r+l}$ which makes fewer than $2^{r+l}$ queries follows. For every integer $r \ge 4$, applying Theorem 2.8 to Efremenko's 3-query LDC $C_2$ (based on $m_1 = 511$) of length $N_2$ and $k_{r-2}$-query LDC $C_{r-2}$ (based on $m_2 = q_1 \cdots q_{r-2}$ such that $\gcd(m_1, m_2) = 1$) of length $N_{r-2}$ gives:

Corollary 2.9 (Itoh & Suzuki 2010). For every integer $r \ge 4$, there is a $k$-query linear LDC $C$ of length $N_r$ in which $k \le 3 \cdot 2^{r-2}$.
We note that Efremenko's 3-query linear LDC is crucial to the improvement provided by Corollary 2.9. The existence of this code depends on a carefully chosen good composite number $m_1 = 511$. It is natural to ask whether there are good composite numbers other than 511 based on which a 3-query linear LDC of length $N_2$ can be obtained from Efremenko's construction.

For every integer $r \ge 2$, we denote by $\mathcal{M}_r$ the set of integers, each of which is a product of $r$ distinct odd primes and can yield a $k$-query linear LDC of length $N_r$ for which $k < 2^r$ in Efremenko's construction. Efremenko (2009) showed that $511 \in \mathcal{M}_2$ and built their 3-query LDC on this number. Itoh & Suzuki (2010) proved that $15 \notin \mathcal{M}_2$ by exhaustive search. Both Efremenko (2009) and Itoh & Suzuki (2010) left as an open problem to find elements of $\mathcal{M}_2$ other than 511. We provide an answer to this problem in the next section.

We end this section with some algebra required to establish our results.

2.3. Group Rings, Characters and Cyclotomic Cosets. Let $G$ be a finite multiplicative abelian group. The group ring

$$\mathbb{Z}[G] = \Big\{ \sum_{g \in G} a_g g : a_g \in \mathbb{Z} \Big\}$$

is a ring of formal sums, in which addition and multiplication are defined as follows:

$$A + B = \sum_{g \in G} (a_g + b_g) g, \qquad A \cdot B = \sum_{g \in G} \sum_{h \in G} a_g b_h \, gh,$$

where $A = \sum_{g \in G} a_g g$, $B = \sum_{g \in G} b_g g \in \mathbb{Z}[G]$. The following are standard notations:

$$A^{(j)} = \sum_{g \in G} a_g g^j, \ \forall j \in \mathbb{Z}, \qquad D = \sum_{g \in D} g, \ \forall D \subseteq G.$$

Let $\mathbb{C}$ be the field of complex numbers and $\mathbb{C}^*$ its multiplicative group. Any group homomorphism $\chi : G \to \mathbb{C}^*$ is called a character of $G$. If $|G| = n$, then $G$ has exactly $n$ distinct characters. Let $\hat{G}$ be the set of all characters of $G$. Then $\hat{G}$ is a multiplicative group in which $\chi_1 \chi_2(g) = \chi_1(g) \chi_2(g)$ for all $\chi_1, \chi_2 \in \hat{G}$, $g \in G$. The identity $\chi_0$ of $\hat{G}$, called the principal character, maps every $g \in G$ to $1 \in \mathbb{C}^*$. For every $\chi \in \hat{G}$, the order of $\chi$ is defined to be the least positive integer $l$ such that $\chi^l = \chi_0$. Every $\chi \in \hat{G}$ can be easily extended to $\mathbb{Z}[G]$ linearly: $\chi(A) = \sum_{g \in G} a_g \chi(g)$. The following properties are well-known:

1. If $|G| = n < \infty$, then for any $\chi \in \hat{G}$ and $g \in G$, $\chi(g)^n = 1$.

2. If $\chi \in \hat{G} \setminus \{\chi_0\}$, then $\sum_{g \in G} \chi(g) = 0$.

3. $\chi(A^{(j)}) = \chi^j(A)$, for every $\chi \in \hat{G}$, $A \in \mathbb{Z}[G]$.

Let $p$ be a prime or prime power and $m \in \mathbb{Z}^+$ such that $\gcd(p, m) = 1$. For every $s \in \mathbb{Z}_m$, the cyclotomic coset of $p$ modulo $m$ containing $s$ is defined to be the following set

$$E_s = \{ (s p^l \bmod m) \in \mathbb{Z}_m : l = 0, 1, \ldots \},$$

where $s$ is called the coset representative of $E_s$. We always suppose that $s$ is the smallest element in $E_s$. It is well-known that all distinct cyclotomic cosets of $p$ modulo $m$ form a partition of $\mathbb{Z}_m$.

The interested reader is referred to Curtis & Reiner (2006); MacWilliams & Sloane (1977); McDonald (1974); Washington (1997) for more information.

3. Mersenne Numbers which are Products of Two Primes Belong to $\mathcal{M}_2$

In this section, we answer the open problem raised by Efremenko (2009) and Itoh & Suzuki (2010) by proving that any Mersenne number which is the product of two primes belongs to $\mathcal{M}_2$. This result allows us to obtain a family of numbers in $\mathcal{M}_2$. Furthermore, we also give characterizations of numbers in $\mathcal{M}_2$, which turn out to be helpful for deciding whether a given number is in $\mathcal{M}_2$.

Let $m = pq$ be the product of two distinct odd primes $p$ and $q$. Let $t$ be the multiplicative order of 2 in $\mathbb{Z}_m^*$, and let $\gamma_m \in \mathbb{F}_{2^t}$ be a primitive $m$-th root of unity. Let $S_m = \{s_{11} = 1, s_{01}, s_{10}\}$ be the canonical set of $m$. Then the set of $S_m$-decoding polynomials is

$$\mathcal{F} = \{ f(X) \in \mathbb{F}_{2^t}[X] : f(\gamma_m) = f(\gamma_m^{s_{01}}) = f(\gamma_m^{s_{10}}) = 0 \text{ and } f(1) = 1 \}.$$

By Lagrange interpolation, there exists $f \in \mathcal{F}$ that contains at most four monomials. On the other hand, we have the following proposition.
Proposition 3.1. Let $m = pq$ be the product of two distinct odd primes. Then any $S_m$-decoding polynomial contains at least three monomials.

Proof. Suppose $f(X) = aX^u + bX^v \in \mathcal{F}$ is an $S_m$-decoding polynomial with fewer than three monomials. Then $a\gamma_m^{u} + b\gamma_m^{v} = a\gamma_m^{u s_{01}} + b\gamma_m^{v s_{01}} = a\gamma_m^{u s_{10}} + b\gamma_m^{v s_{10}} = 0$ and $a + b = 1$. It follows that $a\gamma_m^{u-v} = a\gamma_m^{(u-v) s_{01}} = a\gamma_m^{(u-v) s_{10}} = 1 + a$. Obviously, $a \neq 0$ and therefore $\gamma_m^{u-v} = \gamma_m^{(u-v) s_{01}} = \gamma_m^{(u-v) s_{10}}$. This implies that $m \mid \gcd((u-v)(s_{01} - 1), (u-v)(s_{10} - 1), (u-v)(s_{10} - s_{01}))$. Since $\gcd(m, s_{10} - s_{01}) = 1$, we have $m \mid (u - v)$. Hence, $a = a\gamma_m^{u-v} = a\gamma_m^{(u-v) s_{01}} = a\gamma_m^{(u-v) s_{10}} = 1 + a$, which is a contradiction. □

Proposition 3.1 shows that for $m = pq$, the best we can expect is to have an $S_m$-decoding polynomial with exactly three monomials. Let

$$\mathcal{G} = \{ g(X) \in \mathbb{F}_{2^t}[X] : g(\gamma_m) = g(\gamma_m^{s_{01}}) = g(\gamma_m^{s_{10}}) = 0 \text{ and } g(1) \neq 0 \}.$$

Then we have the following result.

Proposition 3.2. There is an $S_m$-decoding polynomial $f \in \mathcal{F}$ with three monomials if and only if there is a polynomial $g \in \mathcal{G}$ with three monomials.

Proof. The forward implication is trivial, since $\mathcal{F} \subseteq \mathcal{G}$. Let $g \in \mathcal{G}$ have exactly three monomials. Then $f(X) = g(X)/g(1) \in \mathcal{F}$ contains the same number of monomials as $g(X)$, namely three. □

By Proposition 3.2, finding an $S_m$-decoding polynomial with exactly three monomials is equivalent to finding a polynomial $g(X) \in \mathcal{G}$ with exactly three monomials. Let $g(X) \in \mathcal{G}$ be such a polynomial. Since $\mathcal{G}$ is closed under multiplication by elements of $\mathbb{F}_{2^t} \setminus \{0\}$, we may suppose, without loss of generality, that $g(X) = X^u + aX^v + b \in \mathbb{F}_{2^t}[X]$ for some distinct $u, v \in \mathbb{Z}_m \setminus \{0\}$ (only $g(1)$, $g(\gamma_m)$, $g(\gamma_m^{s_{01}})$ and $g(\gamma_m^{s_{10}})$ are concerned) and $a, b \in \mathbb{F}_{2^t} \setminus \{0\}$. By the definition of $\mathcal{G}$, the following conditions hold simultaneously:

$$(3.3) \quad \begin{pmatrix} \gamma_m^{u s_{01}} & \gamma_m^{v s_{01}} & 1 \\ \gamma_m^{u s_{10}} & \gamma_m^{v s_{10}} & 1 \\ \gamma_m^{u} & \gamma_m^{v} & 1 \end{pmatrix} \begin{pmatrix} 1 \\ a \\ b \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \end{pmatrix},$$

$$(3.4) \quad 1 + a + b \neq 0.$$

Conditions (3.3) and (3.4) shed much light on how to determine elements of $\mathcal{M}_2$. A computer search based on these conditions shows that the Mersenne numbers $M_{11} = 2^{11} - 1 = 2047$ and $M_{23} = 2^{23} - 1 = 8388607$ both belong to $\mathcal{M}_2$ (see Table 3.1 for the corresponding $S_m$-decoding polynomials).
$m$: $M_{23} = 2^{23} - 1 = 8388607$
$\mathbb{F}_{2^t}$: $\mathbb{F}_{2^{23}} = \mathbb{F}_2[\gamma]/(\gamma^{23} + \gamma^5 + 1)$
$S_m$: $\{s_{11} = 1, s_{01} = 5711393, s_{10} = 2677215\}$
$S_m$-decoding polynomial: $\gamma^{6526329} X^{3526} + \gamma^{7574532} X^{3363} + \gamma^{2861754}$

Table 3.1: New elements $m$ determined to be in $\mathcal{M}_2$
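Conditions (3.3) and (3.4) are exactly what the computer search has to test, so the following added example (my code, not the paper's or Efremenko's) carries the search out for Efremenko's number $m = 511 = 7 \times 73$, where $t = 9$. It builds $\mathbb{F}_{2^9}$ as $\mathbb{F}_2[x]/(x^9 + x^4 + 1)$ with log/antilog tables (the primitive trinomial is my choice; any primitive polynomial of degree 9 would do), computes the canonical set $S_m$ of Definition 2.5 by the Chinese Remainder Theorem, solves the first two rows of (3.3) for $(a, b)$ over all pairs of distinct nonzero exponents $u < v$, checks the third row and (3.4), and finally normalises $g$ to $f = g/g(1)$ and verifies Definition 2.3 directly. All function names are mine; the constructed field and the exponent loop are the only assumptions.

```python
"""Canonical set S_m and the three-monomial S_m-decoding polynomial search for m = pq."""
import itertools
import math


class GF2t:
    """F_{2^t} = F_2[x]/(modulus); an element is an int whose bit i is the coefficient of x^i.
    The modulus must be primitive so that x generates the multiplicative group (checked)."""

    def __init__(self, t, modulus):
        self.t, self.modulus, self.order = t, modulus, (1 << t) - 1
        self.exp, self.log = [0] * self.order, [0] * (1 << t)
        a = 1
        for i in range(self.order):            # antilog table: exp[i] = x^i
            self.exp[i], self.log[a] = a, i
            a <<= 1
            if a >> t:
                a ^= modulus
        if a != 1 or self.log[1] != 0:         # x must have order exactly 2^t - 1
            raise ValueError("modulus is not primitive")

    def mul(self, a, b):
        if a == 0 or b == 0:
            return 0
        return self.exp[(self.log[a] + self.log[b]) % self.order]

    def inv(self, a):
        return self.exp[(-self.log[a]) % self.order]

    def gamma_pow(self, m, e):
        """gamma_m^e, where gamma_m = x^((2^t-1)/m) is a primitive m-th root of unity (m | 2^t - 1)."""
        return self.exp[((self.order // m) * e) % self.order]


def canonical_set(primes):
    """Definition 2.5: S_m = {s_a : a in {0,1}^r, a != 0} with s_a == a_i (mod p_i), via the CRT."""
    m = math.prod(primes)
    cofactors = [m // p for p in primes]
    return {a: sum(ai * M * pow(M, -1, p) for ai, M, p in zip(a, cofactors, primes)) % m
            for a in itertools.product((0, 1), repeat=len(primes)) if any(a)}


def evaluate(gf, poly, m, e):
    """Evaluate the sparse polynomial poly = {exponent: coefficient} at gamma_m^e."""
    acc = 0
    for k, c in poly.items():
        acc ^= gf.mul(c, gf.gamma_pow(m, k * e))
    return acc


def is_decoding_polynomial(gf, poly, m, S):
    """Definition 2.3: P(gamma_m^s) = 0 for every s in S, and P(1) = 1."""
    return all(evaluate(gf, poly, m, s) == 0 for s in S) and evaluate(gf, poly, m, 0) == 1


def find_three_monomial_decoding_poly(gf, m, S):
    """Search g(X) = X^u + a X^v + b over distinct nonzero u < v for a solution of (3.3) and (3.4);
    return the normalised f = g / g(1) as {exponent: coefficient}, or None if none exists."""
    s01, s10 = S[(0, 1)], S[(1, 0)]
    gp = [gf.gamma_pow(m, e) for e in range(m)]        # gamma_m^e for every e in Z_m
    for u in range(1, m):
        for v in range(u + 1, m):                       # (v, u) gives the same g up to scaling
            # The s01 and s10 rows of (3.3) share b: add them (characteristic 2) and solve for a.
            denom = gp[v * s01 % m] ^ gp[v * s10 % m]
            if denom == 0:
                continue
            a = gf.mul(gp[u * s01 % m] ^ gp[u * s10 % m], gf.inv(denom))
            b = gp[u * s01 % m] ^ gf.mul(a, gp[v * s01 % m])   # back-substitute into the s01 row
            if a == 0 or b == 0:                                # three genuine monomials needed
                continue
            if gp[u] ^ gf.mul(a, gp[v]) ^ b:                     # third row of (3.3): g(gamma_m) = 0
                continue
            g1 = 1 ^ a ^ b                                       # (3.4): g(1) != 0
            if g1 == 0:
                continue
            c = gf.inv(g1)                                       # Proposition 3.2: f = g / g(1)
            return {u: c, v: gf.mul(a, c), 0: gf.mul(b, c)}
    return None


if __name__ == "__main__":
    gf = GF2t(9, (1 << 9) | (1 << 4) | 1)    # F_512 = F_2[x]/(x^9 + x^4 + 1), a primitive trinomial
    S = canonical_set((7, 73))               # m = 511 = 7 * 73, t = ord_511(2) = 9
    f = find_three_monomial_decoding_poly(gf, 511, S)
    print("S_511 =", S)
    print("3-monomial S_511-decoding polynomial {exponent: coefficient}:", f)
    print("verified against Definition 2.3:", is_decoding_polynomial(gf, f, 511, S.values()))
```

The same functions apply to $M_{11} = 2047$ with $t = 11$ and a primitive polynomial of degree 11 (for instance $x^{11} + x^2 + 1$), but the search then ranges over $2046 \cdot 2045 / 2$ exponent pairs; for $M_{23}$ the log tables no longer fit comfortably and a polynomial-arithmetic field implementation would be needed instead.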



Theorem 2.8 shows that the more numbers in $\mathcal{M}_2$ we find, the more improvements we get on the query complexity within Efremenko's framework. This motivates the consideration of numbers taking the form of $M_{11}$ and $M_{23}$, and to understand why they yield better local decoding algorithms within Efremenko's framework. We note that $M_{11}$ and $M_{23}$ are both Mersenne numbers and each a product of two primes. This begs the question: do all numbers of this form belong to $\mathcal{M}_2$, and do they intrinsically yield better local decoding algorithms in Efremenko's framework? For the remainder of this section, we provide an affirmative answer to this question. More precisely, we prove the following theorem.

Theorem 3.5. Let $m = 2^t - 1 = pq$ be a Mersenne number, where $t$, $p$ and $q$ are primes. Then $m \in \mathcal{M}_2$.

The proof of Theorem 3.5 is based on analysis of conditions (3.3) and (3.4), and is an easy consequence of Propositions 3.6 and 3.10 below.

Proposition 3.6. Let $m = pq$ be the product of two distinct odd primes $p$ and $q$. Let $t$ be the multiplicative order of $2 \in \mathbb{Z}_m^*$, and let $\gamma_m \in \mathbb{F}_{2^t}$ be a primitive $m$-th root of unity. Define

$$(3.7) \quad Z = \left\{ \frac{z_1 + z_2}{z_1 z_2 + z_2} : z_1, z_2 \in \mathbb{F}_{2^t}, \ \mathrm{ord}(z_1) = p, \text{ and } \mathrm{ord}(z_2) = q \right\}.$$

If $Z$ is a multiset containing an element of multiplicity greater than one, then $m \in \mathcal{M}_2$.

Proof. Suppose $Z$ contains an element of multiplicity greater than one. Then there exist $z_1, z_2, z_1', z_2' \in \mathbb{F}_{2^t}$ such that the following hold:

(i) $\mathrm{ord}(z_1) = \mathrm{ord}(z_1') = p$,

(ii) $\mathrm{ord}(z_2) = \mathrm{ord}(z_2') = q$,

(iii) $(z_1, z_2) \neq (z_1', z_2')$,

(iv) $\dfrac{z_1 + z_2}{z_1 z_2 + z_2} = \dfrac{z_1' + z_2'}{z_1' z_2' + z_2'}$.

Obviously, we have $\mathrm{ord}(\gamma_m^{s_{10}}) = p$ and $\mathrm{ord}(\gamma_m^{s_{01}}) = q$. It follows that there are integers $u_1, v_1 \in \mathbb{Z}_p \setminus \{0\}$ and $u_2, v_2 \in \mathbb{Z}_q \setminus \{0\}$ such that the following hold:

(v) $z_1 = (\gamma_m^{s_{10}})^{u_1} = \gamma_m^{u_1 s_{10}}$,

(vi) $z_2 = \gamma_m^{u_2 s_{01}}$,

(vii) $z_1' = \gamma_m^{v_1 s_{10}}$,

(viii) $z_2' = \gamma_m^{v_2 s_{01}}$.

Since $p$ and $q$ are distinct primes, the Chinese Remainder Theorem implies that there are unique numbers $u, v \in \mathbb{Z}_m \setminus \{0\}$ such that

(ix) $u \equiv u_1 \pmod p$ and $u \equiv u_2 \pmod q$,

(x) $v \equiv v_1 \pmod p$ and $v \equiv v_2 \pmod q$.

Combining the set of conditions (i)–(x), it is easy to verify that the numbers $u, v \in \mathbb{Z}_m \setminus \{0\}$ satisfy the following conditions:

(xi) $z_1 = \gamma_m^{u s_{10}}$, $z_2 = \gamma_m^{u s_{01}}$, $z_1' = \gamma_m^{v s_{10}}$, and $z_2' = \gamma_m^{v s_{01}}$,

(xii) $u \neq v$,

(xiii) $\dfrac{\gamma_m^{u s_{10}} + \gamma_m^{u s_{01}}}{\gamma_m^{u} + \gamma_m^{u s_{01}}} = \dfrac{\gamma_m^{v s_{10}} + \gamma_m^{v s_{01}}}{\gamma_m^{v} + \gamma_m^{v s_{01}}}$.
The last condition (xiii) implies that the matrix

$$(3.8) \quad \Gamma_{u,v} = \begin{pmatrix} \gamma_m^{u s_{01}} & \gamma_m^{v s_{01}} & 1 \\ \gamma_m^{u s_{10}} & \gamma_m^{v s_{10}} & 1 \\ \gamma_m^{u} & \gamma_m^{v} & 1 \end{pmatrix}$$

has determinant zero. It follows that $\mathrm{rank}(\Gamma_{u,v}) = 1$ or $2$. If $\mathrm{rank}(\Gamma_{u,v}) = 1$, then the rank of

$$\begin{pmatrix} \gamma_m^{u s_{01}} + \gamma_m^{u} & \gamma_m^{v s_{01}} + \gamma_m^{v} & 0 \\ \gamma_m^{u s_{10}} + \gamma_m^{u} & \gamma_m^{v s_{10}} + \gamma_m^{v} & 0 \\ \gamma_m^{u} & \gamma_m^{v} & 1 \end{pmatrix}$$

is also 1. Hence, $\gamma_m^{u} + \gamma_m^{u s_{01}} = \gamma_m^{v} + \gamma_m^{v s_{01}} = \gamma_m^{u} + \gamma_m^{u s_{10}} = \gamma_m^{v} + \gamma_m^{v s_{10}} = 0$, which in turn implies $\gamma_m^{u s_{01}} = \gamma_m^{u s_{10}}$ and $\gamma_m^{v s_{01}} = \gamma_m^{v s_{10}}$. Since $\gamma_m$ is of order $m$ and $\gcd(m, s_{01} - s_{10}) = 1$, we have $m \mid \gcd(u(s_{01} - s_{10}), v(s_{01} - s_{10}))$ and therefore $m \mid \gcd(u, v)$, which contradicts the fact that $u, v \in \mathbb{Z}_m \setminus \{0\}$. Consequently, $\mathrm{rank}(\Gamma_{u,v}) = 2$ and the equation (3.3) has a unique solution $(a, b) \in \mathbb{F}_{2^t}^2$.

Next we show that both $a$ and $b$ are nonzero. If $a = 0$, then $b = \gamma_m^{u s_{01}} = \gamma_m^{u s_{10}} = \gamma_m^{u}$, which implies that $u \equiv 0 \pmod m$. If $b = 0$, then $a = \gamma_m^{(u-v) s_{01}} = \gamma_m^{(u-v) s_{10}} = \gamma_m^{u-v}$, which implies that $u \equiv v \pmod m$. Both cases yield contradictions, since $u, v \in \mathbb{Z}_m \setminus \{0\}$ are distinct.

Let $g(X) = X^u + aX^v + b \in \mathbb{F}_{2^t}[X]$. Then $g(X)$ contains three monomials since $u, v \in \mathbb{Z}_m \setminus \{0\}$ are distinct and $a, b \in \mathbb{F}_{2^t} \setminus \{0\}$. Furthermore, we have $g(\gamma_m) = g(\gamma_m^{s_{01}}) = g(\gamma_m^{s_{10}}) = 0$ since $(a, b)$ satisfies (3.3).
As the last step, we claim that $g(1) \neq 0$, for otherwise the vector $(1, 1, 1)$ is necessarily a linear combination of the rows of $\Gamma_{u,v}$, since $(1, a, b) \neq (0, 0, 0)$, and thereby

$$\begin{pmatrix} \gamma_m^{u s_{01}} & \gamma_m^{v s_{01}} & 1 \\ \gamma_m^{u s_{10}} & \gamma_m^{v s_{10}} & 1 \\ \gamma_m^{u} & \gamma_m^{v} & 1 \\ 1 & 1 & 1 \end{pmatrix}$$

has rank two. Applying elementary row operations (adding the last row to each of the first three rows) to the above matrix gives

$$(3.9) \quad \begin{pmatrix} 1 + \gamma_m^{u s_{01}} & 1 + \gamma_m^{v s_{01}} & 0 \\ 1 + \gamma_m^{u s_{10}} & 1 + \gamma_m^{v s_{10}} & 0 \\ 1 + \gamma_m^{u} & 1 + \gamma_m^{v} & 0 \\ 1 & 1 & 1 \end{pmatrix}.$$

Condition (xiii) and (3.9) now jointly yield $\gamma_m^{(u-v) s_{10}} = \gamma_m^{(u-v) s_{01}}$, which in turn implies that $u = v$. This is a contradiction.

We have actually shown that $g(X) \in \mathcal{G}$ and contains exactly three monomials. By Proposition 3.2, there is an $S_m$-decoding polynomial $f(X) \in \mathcal{F}$ which also contains exactly three monomials. Hence, $m \in \mathcal{M}_2$. □



Proposition 3.10. Let $m = 2^t - 1 = pq$ be a Mersenne number, where $t$, $p$ and $q$ are all primes, $p \neq q$. Then $Z$ (as defined in Proposition 3.6) is a multiset containing an element of multiplicity greater than one.

Proof. Obviously, $Z$ has at most $(p-1)(q-1)$ distinct elements. Suppose $Z$ is a set of cardinality $(p-1)(q-1)$. For every $z_1, z_2 \in \mathbb{F}_{2^t}^*$ such that $\mathrm{ord}(z_1) = p$ and $\mathrm{ord}(z_2) = q$, we have $(z_1 + z_2)/(z_1 z_2 + z_2) = 1 + (1 + z_2^{-1})/(1 + z_1^{-1})$. Hence,

$$(3.11) \quad S = \{ (1 + z_2)/(1 + z_1) : z_1, z_2 \in \mathbb{F}_{2^t}^*, \ \mathrm{ord}(z_1) = p, \text{ and } \mathrm{ord}(z_2) = q \}$$
is also a set of cardinality $(p-1)(q-1)$. Let $G = \mathbb{F}_{2^t}^*$ and $1_G$ its identity. Consider the group ring $\mathbb{Z}[G]$. We identify the two subsets of $G$,

$$(3.12) \quad A = \{1 + z_1 : z_1 \in \mathbb{F}_{2^t}^* \text{ and } \mathrm{ord}(z_1) = p\},$$

$$(3.13) \quad B = \{1 + z_2 : z_2 \in \mathbb{F}_{2^t}^* \text{ and } \mathrm{ord}(z_2) = q\},$$

with two elements of $\mathbb{Z}[G]$. We claim that

$$(3.14) \quad S \cup A^{(-1)} \cup B \cup \{1_G\} = G.$$

Indeed, since $S \cup A^{(-1)} \cup B \cup \{1_G\} \subseteq G$ and $|S| + |A^{(-1)}| + |B| + |\{1_G\}| = |G|$, it suffices to show that $S$, $A^{(-1)}$, $B$, and $\{1_G\}$ are pairwise disjoint. It is obvious that $1_G \notin S \cup A^{(-1)} \cup B$. If $S \cap A^{(-1)} \neq \emptyset$, then there exist $z_1, z_1', z_2 \in \mathbb{F}_{2^t}^*$ such that $(1 + z_2)/(1 + z_1) = 1/(1 + z_1')$, where $\mathrm{ord}(z_1) = \mathrm{ord}(z_1') = p$ and $\mathrm{ord}(z_2) = q$. It follows that the quotient $(1 + z_2)/(1 + z_1)$ has a second representation of the same form, which contradicts our assumption that $S$ is a set of cardinality $(p-1)(q-1)$. Similarly, we have $S \cap B = A^{(-1)} \cap B = \emptyset$. From (3.14) we derive

$$(3.15) \quad (A + 1_G)^{(-1)} (B + 1_G) = G.$$

Let $\gamma_p, \gamma_q \in G$ be some primitive $p$-th and $q$-th roots of unity, respectively. We claim that there exist a permutation $a : \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ and a mapping $b : \mathbb{Z}_p^* \to \mathbb{Z}_q$ such that for every $i \in \mathbb{Z}_p^*$,

$$(3.16) \quad 1 + \gamma_p^i = \gamma_p^{a(i)} \gamma_q^{b(i)}.$$

Let $\theta_p, \theta_q \in \mathbb{C}$ be some complex primitive $p$-th and $q$-th roots of unity respectively, where $\mathbb{C}$ is the field of complex numbers. Let $\chi_p$ be a multiplicative character of order $p$ of the group $G$, such that $\chi_p(\gamma_p) = \theta_p$. The identity $\chi_p((A + 1_G)^{(-1)}) \chi_p(B + 1_G) = \chi_p(G) = 0$ implies that either $\chi_p((A + 1_G)^{(-1)}) = 0$ or $\chi_p(B + 1_G) = 0$. If $\chi_p(B + 1_G) = 0$, then $q \equiv \chi_p(B + 1_G) = 0 \pmod{1 - \theta_p}$ and therefore $q \in (1 - \theta_p)\mathbb{Z}[\theta_p]$. On the other hand, $p = \prod_{i=1}^{p-1} (1 - \theta_p^i) \in (1 - \theta_p)\mathbb{Z}[\theta_p]$. Since $\gcd(p, q) = 1$, there are rational integers $\alpha, \beta$ such that $\alpha p + \beta q = 1$. It follows that $1 \in (1 - \theta_p)\mathbb{Z}[\theta_p]$, which contradicts the well-known fact that $(1 - \theta_p)\mathbb{Z}[\theta_p]$ is a prime ideal in $\mathbb{Z}[\theta_p]$ (cf. Washington (1997, Lemma 1.4)). Hence, we have $\chi_p((A + 1_G)^{(-1)}) = 0$ and $\chi_p(A + 1_G) = \overline{\chi_p((A + 1_G)^{(-1)})} = 0$, giving $\sum_{i=1}^{p-1} \chi_p(1 + \gamma_p^i) + 1 = 0$. Clearly, there is a mapping $a : \mathbb{Z}_p^* \to \mathbb{Z}_p$ such that $\chi_p(1 + \gamma_p^i) = \theta_p^{a(i)}$ for all $i \in \mathbb{Z}_p^*$. Hence, $\sum_{i=1}^{p-1} \theta_p^{a(i)} + 1 = 0$. Since any

16 Chee, Feng, Ling, Wang & Zhang 



p — 1 elements of {1, 9 P , . . . , 9% 1 } form an integral basis of Z[# p ] over Z, a must 
be a permutation of Z* Since G = {7^7^ : a G Z p ,/3 G Z g }, there are two 

mappings a : Z* — » Z p and /3 : Z* — > Z q such that 1 + 7* = jpjq for all 
i G Z; . It follows that = Xp {l + li) = Xp(7 P a(i) )x P (7? (i) ) = tiPxpW® ■ 
Obviously, x P (7 g ) p = X P (lq) q = 1 and so x P (lq) = 1- Therefore, = 0p W , 
which implies a = a. We identify /3 with b and obtain (3.16). 

Similarly, there exist a permutation $c : \mathbb{Z}_q^* \to \mathbb{Z}_q^*$ and a mapping $d : \mathbb{Z}_q^* \to \mathbb{Z}_p$ such that, for every $j \in \mathbb{Z}_q^*$,

(3.17) $1 + \gamma_q^{j} = \gamma_q^{c(j)}\,\gamma_p^{d(j)}$.

Let $\chi_m$ be a multiplicative character of order $m$ of $G$. Without loss of generality, we suppose that $\chi_m(\gamma_p) = \theta_p$ and $\chi_m(\gamma_q) = \theta_q$. Applying $\chi_m$ to (3.15), we have $\chi_m((A + 1_G)^{(-1)})\,\chi_m(B + 1_G) = \chi_m(G) = 0$, which implies either $\chi_m(A + 1_G) = 0$ or $\chi_m(B + 1_G) = 0$. If $\chi_m(A + 1_G) = 0$, then by (3.16), and since $a$ is a permutation of $\mathbb{Z}_p^*$ so that $\sum_{i=1}^{p-1}\theta_p^{a(i)} = -1$,
$$0 = \sum_{i=1}^{p-1} \chi_m(1 + \gamma_p^{i}) + 1 = \sum_{i=1}^{p-1} \theta_p^{a(i)}\theta_q^{b(i)} + 1 = \sum_{i=1}^{p-1} \theta_p^{a(i)}\bigl(\theta_q^{b(i)} - 1\bigr).$$
Since $\{\theta_p, \ldots, \theta_p^{p-1}\}$ is an integral basis of $\mathbb{Z}[\theta_p, \theta_q]$ over $\mathbb{Z}[\theta_q]$, we have $\theta_q^{b(i)} - 1 = 0$ for every $i \in \mathbb{Z}_p^*$. It follows that $1 + \gamma_p^{i} = \gamma_p^{a(i)}$ for every $i \in \mathbb{Z}_p^*$. Hence, $\{0, 1, \gamma_p, \ldots, \gamma_p^{p-1}\}$ is a subfield of $\mathbb{F}_{2^t}$. However, the only subfields of $\mathbb{F}_{2^t}$ are $\mathbb{F}_2$ and $\mathbb{F}_{2^t}$. Hence, either $p + 1 = 2$ or $p + 1 = 2^t$, that is, either $p = 1$ or $q = 1$, which is a contradiction.

Similarly, if $\chi_m(B + 1_G) = 0$, then we conclude that $\{0, 1, \gamma_q, \ldots, \gamma_q^{q-1}\}$ is a subfield of $\mathbb{F}_{2^t}$, which yields the same contradiction.

Hence, our assumption that $Z$ is a set of cardinality $(p-1)(q-1)$ is wrong and the proposition is established. □

We are now ready to prove Theorem 3.5.

Proof of Theorem 3.5. To apply Propositions 3.6 and 3.10, we need to show that $p$ and $q$ are odd and distinct. Since $pq = m = 2^t - 1$ is odd, it suffices to show that $p$ and $q$ are distinct. Suppose $p = q$. Then $pq = p^2 \equiv 1 \pmod 4$, whereas $pq = m = 2^t - 1 \equiv -1 \pmod 4$ because $t \geq 2$, which is a contradiction. □

Theorem 3.5 provides a general method of obtaining new numbers in $M_2$ and motivates the following definition of a subset of $M_2$:

$M_{2,\mathrm{Mersenne}} = \{m : m = 2^t - 1 = pq, \text{ where } t, p \text{ and } q \text{ are primes}\}$.

It is an interesting open problem to determine the cardinality of $M_{2,\mathrm{Mersenne}}$. A similar but much more well-known problem in number theory is determining the number of Mersenne primes. Although it is generally believed that there are infinitely many Mersenne primes, no proof or disproof is known. It seems that our question on the cardinality of $M_{2,\mathrm{Mersenne}}$ is also difficult to answer. We have, however, determined 50 elements of $M_{2,\mathrm{Mersenne}}$ by computer search. These fifty numbers $M_t = 2^t - 1 = pq \in M_{2,\mathrm{Mersenne}}$, with their smaller prime divisors $p$, are listed in Table 3.2. The first 33 numbers in $M_{2,\mathrm{Mersenne}}$ are $M_{11}, M_{23}, \ldots, M_{809}$. However, we do not know whether $M_{881}$ is the 34th number in $M_{2,\mathrm{Mersenne}}$ or not.

We summarize our results below.

Proposition 3.18. $|M_{2,\mathrm{Mersenne}}| \geq 50$.

It seems reasonable to conjecture that $|M_{2,\mathrm{Mersenne}}| = \infty$.

The set $M_{2,\mathrm{Mersenne}}$ does enable us to improve query complexity in Efremenko's framework through Itoh and Suzuki's composition method (Theorem 2.8). However, to apply this method, we have to make sure that the elements of $M_{2,\mathrm{Mersenne}}$ are pairwise relatively prime.

Proposition 3.19. (a) Any two distinct elements in $M_{2,\mathrm{Mersenne}}$ are relatively prime. (b) Elements in $M_{2,\mathrm{Mersenne}}$ are relatively prime to 511.

Proof. (a) Let $M_t = 2^t - 1 = pq \in M_{2,\mathrm{Mersenne}}$ and let $t_1$ and $t_2$ be the multiplicative orders of 2 in $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$, respectively. Then $t_1 \mid t$ and $t_2 \mid t$, which in turn implies $t_1 = t_2 = t$ since $t$ is prime and $t_1, t_2 > 1$. Suppose there are two distinct numbers $M_t, M_{t'} \in M_{2,\mathrm{Mersenne}}$ such that $\gcd(M_t, M_{t'}) > 1$. Then $M_t$ and $M_{t'}$ have a common prime factor, say $p$. It follows that $t = t' = \mathrm{ord}_p(2)$, the multiplicative order of $2 \in \mathbb{Z}_p^*$. Hence, we have $M_t = M_{t'}$, which is a contradiction.

(b) Suppose that $M_t = 2^t - 1 \in M_{2,\mathrm{Mersenne}}$ is such that $\gcd(M_t, 511) > 1$. Since $511 = 7 \cdot 73$, either $7 \mid M_t$ or $73 \mid M_t$. The multiplicative orders of 2 in $\mathbb{Z}_7^*$ and $\mathbb{Z}_{73}^*$ are 3 and 9, respectively. Hence, $3 \mid t$ or $9 \mid t$. However, $t$ is prime and greater than 9 (the smallest element of $M_{2,\mathrm{Mersenne}}$ is $M_{11}$, as $M_2, M_3, M_5$ and $M_7$ are themselves prime), which yields a contradiction. □

The result below follows from Propositions 3.18 and 3.19.

Corollary 3.20. There are at least 51 elements in $M_2$ which are pairwise relatively prime.
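The membership condition of Theorem 3.5 and the two coprimality claims of Proposition 3.19 are mechanical enough to check directly. The following Python script is an added example, not code from the paper or its authors: for a few rows of Table 3.2 it recomputes the cofactor $q = M_t/p$, confirms with a Miller-Rabin test that $q$ is a (probable) prime, and then checks that the resulting $M_t$ are pairwise coprime and coprime to 511. The $(t, p)$ pairs embedded in it are copied from Table 3.2; the function names and the number of Miller-Rabin rounds are the example's own choices.

```python
"""Checking the M_{2,Mersenne} pattern of Theorem 3.5 and the coprimality of Proposition 3.19.

Added example (not code from the paper). For a table entry (t, p) it verifies that t and p
are prime, that p | M_t = 2^t - 1, and that the cofactor q = M_t / p is a (probable) prime,
which is exactly the membership condition m = 2^t - 1 = pq with t, p, q prime. The entries
in TABLE_EXCERPT are copied from Table 3.2; the cofactors are recomputed, not copied.
"""
from math import gcd
import random


def is_probable_prime(n, rounds=16, seed=0x5EED):
    """Miller-Rabin after trial division by small primes. The bases are drawn from a
    seeded generator so results are reproducible; error probability is at most 4^-rounds."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def mult_order_of_two(p):
    """Multiplicative order of 2 in Z_p^* for a small odd prime p, by repeated doubling."""
    k, y = 1, 2 % p
    while y != 1:
        y = 2 * y % p
        k += 1
    return k


def mersenne_cofactor(t, p):
    """If t and p are prime, p | M_t, and q = M_t / p is a prime different from p, return q,
    otherwise None. A non-None result certifies M_t in M_{2,Mersenne}; Proposition 3.19(a)
    then gives ord_p(2) = ord_q(2) = t without any further computation."""
    if not (is_probable_prime(t) and is_probable_prime(p)):
        return None
    m = (1 << t) - 1
    if m % p:
        return None
    q = m // p
    if q == p or not is_probable_prime(q):
        return None
    return q


# Constructed from the first eight rows of Table 3.2: (t, smaller prime divisor p of M_t).
TABLE_EXCERPT = [(11, 23), (23, 47), (37, 223), (41, 13367),
                 (59, 179951), (67, 193707721), (83, 167), (97, 11447)]


def check_table(entries=TABLE_EXCERPT):
    """Return [(t, p, q)] for every entry; raise if some entry is not of the form M_t = p * q."""
    triples = []
    for t, p in entries:
        q = mersenne_cofactor(t, p)
        if q is None:
            raise ValueError(f"M_{t} is not p * q with p = {p} and q prime")
        triples.append((t, p, q))
    return triples


def pairwise_coprime(values):
    """gcd(a, b) = 1 for all distinct pairs; Proposition 3.19(a) predicts this for the M_t."""
    return all(gcd(a, b) == 1 for i, a in enumerate(values) for b in values[i + 1:])


def coprime_to_511(t):
    """Proposition 3.19(b): gcd(M_t, 511) = 1 for every M_t in M_{2,Mersenne}, because
    511 = 7 * 73 with ord_7(2) = 3 and ord_73(2) = 9, neither of which divides a prime t > 9."""
    return gcd((1 << t) - 1, 511) == 1


if __name__ == "__main__":
    triples = check_table()
    for t, p, q in triples:
        print(f"M_{t} = {p} * {q}")
    print("pairwise coprime:", pairwise_coprime([(1 << t) - 1 for t, _, _ in triples]))
    print("coprime to 511:", all(coprime_to_511(t) for t, _, _ in triples))
    print("ord_7(2) =", mult_order_of_two(7), " ord_73(2) =", mult_order_of_two(73))
```

Running the script with the full table needs only the 50 $(t, p)$ pairs; the primality test on the largest cofactors (around 2200 bits for $M_{7331}$) takes well under a second each in plain Python.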

Although Theorem 3.5 provides a rather general method of finding new elements in $M_2$ (since $M_{2,\mathrm{Mersenne}} \subseteq M_2$), it does not provide a way for disproving membership in $M_2$ that is easier than exhaustive search. Itoh & Suzuki (2010) showed that $15 \notin M_2$ by exhaustive search. The next result shows that it is possible to avoid exhaustive search in proving that $15 \notin M_2$.



    m         p
    M_11      23
    M_23      47
    M_37      223
    M_41      13367
    M_59      179951
    M_67      193707721
    M_83      167
    M_97      11447
    M_101     7432339208719
    M_103     2550183799
    M_109     745988807
    M_131     263
    M_137     32032215596496435569
    M_139     5625767248687
    M_149     86656268566282183151
    M_167     2349023
    M_197     7487
    M_199     164504919713
    M_227     26986333437777017
    M_241     22000409
    M_269     13822297
    M_271     15242475217
    M_281     80929
    M_293     40122362455616221971122353
    M_347     14143189112952632419639
    M_373     25569151
    M_379     180818808679
    M_421     614002928307599
    M_457     150327409
    M_487     4871
    M_523     160188778313202118610543685368878688932828701136501444932217468039063
    M_727     17606291711815434037934881872331611670777491166445300472749449436575622328171096762265466521858927
    M_809     4148386731260605647525186547488842396461625774241327567978137
    M_881     26431
    M_971     23917104973173909566916321016011885041962486321502513
    M_983     1808226257914551209964473260866417929207023
    M_997     167560816514084819488737767976263150405095191554732902607
    M_1063    1485761479
    M_1427    19054580564725546974193126830978590503
    M_1487    24464753918382797416777
    M_1937    81679753
    M_2927    1217183584262023230020873
    M_3079    25324846649810648887383180721
    M_3259    21926805872270062496819221124452121
    M_3359    6719
    M_4243    101833
    M_4729    61944189981415866671112479477273
    M_5689    919724609777
    M_6043    11155520642419038056369903183
    M_7331    458072843161

Table 3.2: Fifty elements $m = M_t = 2^t - 1 = pq$ in $M_{2,\mathrm{Mersenne}}$, each listed with its smaller prime divisor $p$.
Proposition 3.21. Let $p$, $q$, $m$, $t$, $\gamma_m$, and $Z$ be as defined in Proposition 3.6. Then $m \in M_2$ if and only if there are cyclotomic cosets $E_\alpha$ and $E_\beta$ of 2 modulo $m$ ($\alpha, \beta \in \mathbb{Z}_m$) such that $E_\alpha \cup E_\beta$ does not contain any multiples of $p$ or $q$, and nonnegative integers $c, d < t$ such that

(3.22) $(\alpha, c) \neq (\beta, d)$,

(3.23) $\left(\dfrac{\gamma_m^{\alpha} + \gamma_m^{\alpha s_{01}}}{\gamma_m^{\alpha} + \gamma_m^{\alpha s_{10}}}\right)^{2^c} = \left(\dfrac{\gamma_m^{\beta} + \gamma_m^{\beta s_{01}}}{\gamma_m^{\beta} + \gamma_m^{\beta s_{10}}}\right)^{2^d}$.

Proof. Suppose $m \in M_2$. By Proposition 3.1, there is an $S_m$-decoding polynomial $f(X) \in \mathcal{F}$ with exactly three monomials. By Proposition 3.2, there is a $g(X) \in \mathcal{G}$ with exactly three monomials. Without loss of generality, let $u, v \in \mathbb{Z}_m \setminus \{0\}$ be distinct and $a, b \in \mathbb{F}_{2^t} \setminus \{0\}$ be such that $g(X) = X^u + aX^v + b \in \mathbb{F}_{2^t}[X]$. It follows that (3.3) and (3.4) hold, and therefore $\det(\Gamma_{u,v}) = 0$, which in turn implies the following identity:

(3.24) $(\gamma_m^{u} + \gamma_m^{u s_{10}})(\gamma_m^{v} + \gamma_m^{v s_{01}}) = (\gamma_m^{u} + \gamma_m^{u s_{01}})(\gamma_m^{v} + \gamma_m^{v s_{10}})$.

Since all cyclotomic cosets of 2 modulo $m$ form a partition of $\mathbb{Z}_m$, there exist $\alpha, \beta \in \mathbb{Z}_m$ such that $u \in E_\alpha$ and $v \in E_\beta$, where $E_\alpha$ and $E_\beta$ are cyclotomic cosets of 2 modulo $m$ with representatives $\alpha$ and $\beta$, respectively.

Suppose that $hp \in E_\alpha$ for some integer $h$. Then $q \nmid h$, for otherwise $\alpha = 0$ and therefore $u = 0$, which is a contradiction. Since $u \in E_\alpha$, there is an integer $l$ such that $u \equiv 2^l hp \pmod m$. It follows that $\gamma_m^{u} + \gamma_m^{u s_{01}} = (\gamma_m^{hp} + \gamma_m^{hp s_{01}})^{2^l} = 0$, since $hp s_{01} \equiv hp \pmod m$. By identity (3.24), we have $(\gamma_m^{u} + \gamma_m^{u s_{10}})(\gamma_m^{v} + \gamma_m^{v s_{01}}) = 0$. Since $hp s_{10} \not\equiv hp \pmod m$, we have $\gamma_m^{u} + \gamma_m^{u s_{10}} = (\gamma_m^{hp} + \gamma_m^{hp s_{10}})^{2^l} \neq 0$, which in turn implies that $\gamma_m^{v} + \gamma_m^{v s_{01}} = 0$ and therefore $p \mid v$. Thus, $\gamma_m^{u s_{10}} = \gamma_m^{2^l hp s_{10}} = (\gamma_m^{hp s_{10}})^{2^l} = 1$ and $\gamma_m^{v s_{10}} = (\gamma_m^{p s_{10}})^{v/p} = 1$. In other words, the second row of $\Gamma_{u,v}$ is $(1, 1, 1)$, which implies $1 + a + b = 0$ by (3.3), contradicting (3.4). Hence, $E_\alpha$ does not contain any multiples of $p$. Similarly, $E_\alpha$ does not contain any multiples of $q$, and $E_\beta$ does not contain any multiples of $p$ or $q$.

For $u \in E_\alpha$ and $v \in E_\beta$, there exist nonnegative integers $c, d < t$ such that $u \equiv 2^c \alpha \pmod m$ and $v \equiv 2^d \beta \pmod m$. The fact that $u \neq v$ implies $(\alpha, c) \neq (\beta, d)$, which is (3.22). Let $u = 2^c \alpha$ and $v = 2^d \beta$ in (3.24). Then (3.23) follows.

It remains to show that the converse is also true. Let $u \equiv 2^c \alpha \pmod m$ and $v \equiv 2^d \beta \pmod m$. Then $u, v \in \mathbb{Z}_m$ are nonzero and distinct. Let $z_1 = \gamma_m^{u s_{10}}$, $z_2 = \gamma_m^{u s_{01}}$, $z_1' = \gamma_m^{v s_{10}}$, and $z_2' = \gamma_m^{v s_{01}}$. Then it is easy to verify that $\mathrm{ord}(z_1) = \mathrm{ord}(z_1') = p$, $\mathrm{ord}(z_2) = \mathrm{ord}(z_2') = q$ and $(z_1, z_2) \neq (z_1', z_2')$. Then (3.23) implies

(3.25) $\dfrac{z_1 + z_2}{z_1 z_2 + z_2} = \dfrac{z_1' + z_2'}{z_1' z_2' + z_2'}$.

Note that (3.25) shows that $Z$ is a multiset which contains an element of multiplicity greater than one. By Proposition 3.6, we have $m \in M_2$, which completes the proof. □

Proposition 3.21 provides a rough characterization of elements in $M_2$. However, it turns out to be helpful for proving that some integers are not in $M_2$. In particular, we obtain a computer-free proof of the following result of Itoh & Suzuki (2010).

Corollary 3.26. $15 \notin M_2$.

Proof. The multiplicative order of $2 \in \mathbb{Z}_{15}^*$ is $t = 4$, and $S_{15} = \{1, 6, 10\}$ (here $p = 3$, $q = 5$, $s_{10} = 10$ and $s_{01} = 6$). Let $\mathbb{F}_{2^4} = \mathbb{F}_2[\gamma]/(\gamma^4 + \gamma + 1)$, so that $\gamma$ is a primitive 15-th root of unity. The cyclotomic cosets of 2 modulo 15 are $E_0 = \{0\}$, $E_1 = \{1, 2, 4, 8\}$, $E_3 = \{3, 6, 9, 12\}$, $E_5 = \{5, 10\}$, and $E_7 = \{7, 14, 13, 11\}$. If $15 \in M_2$, then by Proposition 3.21 there are cyclotomic cosets $E_\alpha$ and $E_\beta$ such that $E_\alpha \cup E_\beta$ does not contain any multiples of three or five, and nonnegative integers $c, d < 4$ such that (3.22) and (3.23) hold. It follows that $\{\alpha, \beta\} \subseteq \{1, 7\}$.

If $\alpha = \beta = 1$, then $((\gamma + \gamma^6)/(\gamma + \gamma^{10}))^{2^c} = ((\gamma + \gamma^6)/(\gamma + \gamma^{10}))^{2^d}$ by (3.23), that is, $\gamma^{3 \cdot 2^c} = \gamma^{3 \cdot 2^d}$. It follows that $c = d$ and therefore $(\alpha, c) = (\beta, d)$, which is a contradiction.

If $\alpha = \beta = 7$, then $((\gamma^7 + \gamma^{42})/(\gamma^7 + \gamma^{70}))^{2^c} = ((\gamma^7 + \gamma^{42})/(\gamma^7 + \gamma^{70}))^{2^d}$ by (3.23), that is, $\gamma^{11 \cdot 2^c} = \gamma^{11 \cdot 2^d}$. It follows that $c = d$ and thereby $(\alpha, c) = (\beta, d)$, which is a contradiction.

If $\{\alpha, \beta\} = \{1, 7\}$, then $((\gamma + \gamma^6)/(\gamma + \gamma^{10}))^{2^c} = ((\gamma^7 + \gamma^{42})/(\gamma^7 + \gamma^{70}))^{2^d}$ by (3.23), that is, $\gamma^{3 \cdot 2^c} = \gamma^{11 \cdot 2^d}$. Since $\gcd(2^c, 15) = \gcd(2^d, 15) = 1$, we have that $\mathrm{ord}(\gamma^3) = \mathrm{ord}(\gamma^{11})$. However, $\mathrm{ord}(\gamma^3) = 5 \neq 15 = \mathrm{ord}(\gamma^{11})$, which is a contradiction. □
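Proposition 3.21 turns membership in $M_2$ into a finite search over coset representatives $\alpha, \beta$ and exponents $c, d < t$, and the proof of Corollary 3.26 is exactly that search carried out by hand for $m = 15$. The Python below is an added example, not code from the paper: it builds $\mathbb{F}_{2^t}$ from a primitive polynomial, computes the cyclotomic cosets of 2 modulo $m$ and the idempotents $s_{10}, s_{01}$, and enumerates all $(\alpha, c, \beta, d)$ satisfying (3.22) and (3.23). For $m = 15$ with $\gamma^4 = \gamma + 1$ it recovers the values $\gamma^3$ and $\gamma^{11}$ from the proof and finds no witness. The function names and the primitive polynomial $x^9 + x^4 + 1$ used for $m = 511$ in the driver are the example's own choices.

```python
"""Searching for witnesses of the Proposition 3.21 criterion for m = pq = 2^t - 1.

Added example (not from the paper). Elements of F_{2^t} = F_2[x]/(poly) are encoded as
integers whose bit j is the coefficient of x^j; gamma = x must be a primitive element.
"""


def gf2_mul(a, b, poly, t):
    """Multiply two elements of F_{2^t} = F_2[x]/(poly); poly has degree exactly t."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> t:
            a ^= poly
    return r


def power_table(poly, t):
    """[gamma^0, ..., gamma^(m-1)] for gamma = x and m = 2^t - 1; checks that x is primitive."""
    m = (1 << t) - 1
    powers = [1]
    for _ in range(m - 1):
        powers.append(gf2_mul(powers[-1], 2, poly, t))
    if len(set(powers)) != m or gf2_mul(powers[-1], 2, poly, t) != 1:
        raise ValueError("x is not a primitive element of F_2[x]/(poly)")
    return powers


def cyclotomic_cosets(m):
    """{representative: E_rep} for the cyclotomic cosets of 2 modulo m, in doubling order."""
    cosets, seen = {}, set()
    for a in range(m):
        if a in seen:
            continue
        coset, y = [], a
        while y not in seen:
            seen.add(y)
            coset.append(y)
            y = 2 * y % m
        cosets[a] = coset
    return cosets


def crt_idempotents(p, q):
    """(s10, s01) with s10 = 1 mod p, 0 mod q and s01 = 0 mod p, 1 mod q, so S_m = {1, s10, s01}."""
    m = p * q
    s10 = next(s for s in range(m) if s % p == 1 and s % q == 0)
    s01 = next(s for s in range(m) if s % p == 0 and s % q == 1)
    return s10, s01


def ratio_logs(p, q, poly, t):
    """For each coset E_alpha free of multiples of p and q, the discrete log (base gamma) of
    (gamma^alpha + gamma^(alpha s01)) / (gamma^alpha + gamma^(alpha s10)), the base raised to 2^c in (3.23).
    Numerator and denominator are nonzero precisely because alpha is coprime to m."""
    m = p * q
    if (1 << t) - 1 != m:
        raise ValueError("Proposition 3.21 needs m = 2^t - 1")
    powers = power_table(poly, t)
    log = {value: e for e, value in enumerate(powers)}
    s10, s01 = crt_idempotents(p, q)
    logs = {}
    for alpha, coset in cyclotomic_cosets(m).items():
        if any(e % p == 0 or e % q == 0 for e in coset):
            continue
        num = powers[alpha] ^ powers[alpha * s01 % m]
        den = powers[alpha] ^ powers[alpha * s10 % m]
        logs[alpha] = (log[num] - log[den]) % m
    return logs


def prop_3_21_witnesses(p, q, poly, t):
    """All (alpha, c, beta, d) with (alpha, c) != (beta, d) satisfying (3.23).
    By Proposition 3.21 the list is non-empty if and only if m = pq is in M_2."""
    m = p * q
    logs = ratio_logs(p, q, poly, t)
    found = []
    for alpha, la in logs.items():
        for beta, lb in logs.items():
            for c in range(t):
                for d in range(t):
                    # gamma^(la * 2^c) = gamma^(lb * 2^d)  <=>  la * 2^c = lb * 2^d (mod m)
                    if (alpha, c) != (beta, d) and (la << c) % m == (lb << d) % m:
                        found.append((alpha, c, beta, d))
    return found


if __name__ == "__main__":
    # m = 15 = 3 * 5, t = 4, F_16 = F_2[x]/(x^4 + x + 1) as in the proof of Corollary 3.26.
    print(cyclotomic_cosets(15))
    print(ratio_logs(3, 5, 0b10011, 4))           # {1: 3, 7: 11}: the gamma^3 and gamma^11 of the proof
    print(prop_3_21_witnesses(3, 5, 0b10011, 4))  # []: no witness, so 15 is not in M_2
    # m = 511 = 7 * 73, t = 9, with the primitive polynomial x^9 + x^4 + 1 (example's choice).
    # Proposition 3.21 predicts a non-empty list here, since 511 is in M_2 (Efremenko 2009).
    print(len(prop_3_21_witnesses(7, 73, 0b1000010001, 9)), "witnesses for m = 511")
```

The search costs $O(g^2 t^2)$ field comparisons for $g$ admissible cosets, which for $m = 511$ is a few hundred thousand integer operations; for the Mersenne-sized $m$ of Table 3.2 it is infeasible, which is exactly why Theorem 3.5 is needed there.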

4. Improved LDCs and PIR Schemes

In this section, we apply the set $M_{2,\mathrm{Mersenne}}$ to the constructions of LDCs and information-theoretic PIR schemes. Consequently, we obtain a new family of query-efficient LDCs and a new family of PIR schemes with few servers. Compared with the previous results of Efremenko (2009) and Itoh & Suzuki (2010), the new LDCs and PIR schemes achieve considerable quantitative improvements in efficiency.

4.1. Query-Efficient Locally Decodable Codes. By Corollary 3.20, Theorem 2.7, Theorem 2.8 and Table 3.1, we have the following theorem:
Theorem 4.1. Let $N_r = \exp(\exp(O(\sqrt[r]{\log n\,(\log\log n)^{r-1}})))$. Then the following statements hold:

(a) For every positive integer $r \leq 103$, there is a $k$-query linear LDC of length $N_r$ for which
$$k \leq \begin{cases} (\sqrt{3})^{r} & \text{if } r \text{ is even,} \\ 8 \cdot (\sqrt{3})^{r-3} & \text{if } r \text{ is odd.} \end{cases}$$

(b) For every integer $r \geq 104$, there is a $k$-query linear LDC of length $N_r$ for which $k \leq (3/4)^{51} \cdot 2^{r}$.

(c) If $|M_{2,\mathrm{Mersenne}}| = \infty$, then for every integer $r \geq 1$, there is a $k$-query linear LDC of length $N_r$ for which $k$ satisfies the same bound as in (a).

Proof. (a) Let $r \in [103]$ be even. By Corollary 3.20, we can take distinct $m_1, \ldots, m_{r/2} \in M_2$ which are pairwise relatively prime. There is a 3-query linear LDC of length $N_2$ based on each of them by the definition of $M_2$ and Theorem 2.7. Applying Theorem 2.8 $r/2 - 1$ times, we obtain a $k$-query linear LDC of length $N_r$ for which $k \leq 3^{r/2}$, that is, $k \leq (\sqrt{3})^{r}$.

Let $r \in [103]$ be odd. If $r = 1$, then the Hadamard code is a 2-query linear LDC of length $N_1 = \exp(n)$ satisfying the required condition. If $r \geq 3$, then $r = 2 \cdot \frac{r-3}{2} + 3$ and we can take distinct $m_1, \ldots, m_{(r-3)/2} \in M_2$ which are pairwise relatively prime. Since there are infinitely many primes, we can always take another $m_{(r-1)/2}$ to be a product of three distinct odd primes such that $m_{(r-1)/2}$ is relatively prime to all of $m_1, \ldots, m_{(r-3)/2}$. By Theorem 2.7, there are a 3-query linear LDC of length $N_2$ based on each of $m_1, \ldots, m_{(r-3)/2}$ and a $k_3$-query linear LDC of length $N_3$ based on $m_{(r-1)/2}$ for which $k_3 \leq 2^3$. Applying Theorem 2.8 $(r-3)/2$ times gives a $k$-query linear LDC of length $N_r$ for which $k \leq 3^{(r-3)/2} \cdot 8 = 8 \cdot (\sqrt{3})^{r-3}$.

(b) If $r \geq 104$, we take distinct $m_1, \ldots, m_{51} \in M_2$ and $m_{52}$ a product of $r - 102$ distinct odd primes such that $\gcd(m_i, m_j) = 1$ for all distinct $i, j \in [52]$. By Theorem 2.7, there is a 3-query linear LDC of length $N_2$ based on each of $m_1, \ldots, m_{51}$ and a $k_{r-102}$-query linear LDC of length $N_{r-102}$ based on $m_{52}$ for which $k_{r-102} \leq 2^{r-102}$. Application of Theorem 2.8 gives a $k$-query linear LDC of length $N_r$ for which $k \leq 3^{51} \cdot 2^{r-102} = (3/4)^{51} \cdot 2^{r}$.

(c) It suffices to prove the statement for $r \geq 104$. If $r$ is even, we take $r/2$ distinct elements from $M_{2,\mathrm{Mersenne}}$, and if $r$ is odd, we take $(r-3)/2$ distinct elements from $M_{2,\mathrm{Mersenne}}$ together with $m$, a product of three distinct odd primes such that $\gcd(m, m_i) = 1$ for all $i \in [(r-3)/2]$. In both cases, an application of Theorem 2.8 yields the required conclusion. □

4.2. Private Information Retrieval Schemes with Fewer Servers. An important application of LDCs is in the construction of information-theoretic PIR schemes. A PIR scheme allows a user $U$ to retrieve a data item $x_i$ from a database $x = (x_1, \ldots, x_n) \in \{0, 1\}^n$ while keeping the index $i$ secret from the database operator. Since its introduction by Chor et al. (1998), many constructions have been proposed (Ambainis 1997; Beimel et al. 2005, 2002; Chor et al. 1998; Efremenko 2009; Itoh 1999; Itoh & Suzuki 2010; Raghavendra 2007; Woodruff & Yekhanin 2007; Yekhanin 2008). The efficiency of a PIR scheme is mainly measured by its communication complexity. In this section, we turn our new query-efficient LDCs into PIR schemes that are more efficient than those of Efremenko (2009) and Itoh & Suzuki (2010).

Definition 4.2 (PIR Scheme). A one-round $k$-server PIR scheme is a triplet of algorithms $\mathcal{P} = (Q, A, C)$, where $Q$ is a probabilistic query algorithm, $A$ is an answer algorithm, and $C$ is a reconstruction algorithm. At the beginning of the scheme, $U$ picks a random string $\mathrm{aux}$, computes a $k$-tuple of queries $\mathrm{que} = (\mathrm{que}_1, \ldots, \mathrm{que}_k) = Q(k, n, i, \mathrm{aux})$ and sends each query $\mathrm{que}_j$ to server $S_j$. After receiving $\mathrm{que}_j$, the server $S_j$ replies to $U$ with $\mathrm{ans}_j = A(k, n, j, x, \mathrm{que}_j)$. At last, $U$ outputs $C(k, n, i, \mathrm{aux}, \mathrm{ans}_1, \ldots, \mathrm{ans}_k)$ such that:

Correctness: For every integer $n$, $x \in \{0, 1\}^n$, $i \in [n]$, and $\mathrm{aux}$,

$C(k, n, i, \mathrm{aux}, \mathrm{ans}_1, \ldots, \mathrm{ans}_k) = x_i$.

Privacy: For every $i_1, i_2 \in [n]$, $j \in [k]$, and query $\mathrm{que}$,

$\Pr[Q_j(k, n, i_1, \mathrm{aux}) = \mathrm{que}] = \Pr[Q_j(k, n, i_2, \mathrm{aux}) = \mathrm{que}]$,

where $Q_j$ denotes the $j$-th component of $Q$ and the probability is over the choice of $\mathrm{aux}$.

The communication complexity of $\mathcal{P}$, denoted $C_{\mathcal{P}}(k, n)$, is the total number of bits exchanged between the user and all servers, maximized over $x \in \{0, 1\}^n$, $i \in [n]$, and random string $\mathrm{aux}$. We denote by $(k, n; C_{\mathcal{P}}(k, n))$-PIR a $k$-server PIR scheme with communication complexity $C_{\mathcal{P}}(k, n)$.

Katz & Trevisan (2000) were the first to show generic transformations be- 
tween information-theoretic PIR schemes and LDCs. Subsequently, Trevisan 
(2004) introduced the notion of perfectly smooth decoders: 
Definition 4.3 (Trevisan 2004). A $k$-query LDC $C : \Sigma^n \to \Gamma^N$ is said to have a perfectly smooth decoder if it has a local decoding algorithm $D$ satisfying:

(i) In every invocation, each query of $D$ is uniformly distributed over $[N]$.

(ii) For every $x \in \Sigma^n$ and $i \in [n]$, $\Pr[D^{C(x)}(i) = x_i] = 1$.

LDCs with perfectly smooth decoders directly give information-theoretic PIR schemes.

Proposition 4.4 (Trevisan 2004). If there is a $k$-query LDC $C : \Sigma^n \to \Gamma^N$ which has a perfectly smooth decoder, then there is a $(k, n; k(\log N + \log |\Gamma|))$-PIR scheme.
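Definition 4.2 and Proposition 4.4 are stated abstractly; the smallest concrete instance is the code mentioned in the proof of Theorem 4.1(a), the Hadamard code. The Python below is an added example, not code from the paper: it writes the Hadamard 2-query decoder as a 2-server PIR scheme in the $(Q, A, C)$ form of Definition 4.2, reports the communication cost $k(\log N + \log|\Gamma|) = 2(n + 1)$ bits of Proposition 4.4, and checks the privacy condition exactly by enumerating each server's query distribution over all random strings $\mathrm{aux}$. The function names and the encoding of bit vectors as integers are the example's own.

```python
"""A 2-server PIR scheme from the Hadamard code, in the (Q, A, C) shape of Definition 4.2.

Added example (not from the paper). The Hadamard code C(x)_a = <a, x> mod 2 for a in {0,1}^n
has N = 2^n and Gamma = {0,1}; its decoder reads positions a and a xor e_i for a uniformly
random a, so each query is uniform over [N] (perfectly smooth) and the XOR of the two
symbols is x_i with probability 1. Proposition 4.4 turns this into a (2, n; 2(n+1))-PIR.
Bit vectors are Python ints, bit j standing for coordinate j.
"""
import secrets


def inner_product_mod2(a, x):
    """<a, x> mod 2 for an n-bit mask a and a database x given as a list of bits."""
    return sum(((a >> j) & 1) & x[j] for j in range(len(x))) % 2


def hadamard_encode(x):
    """The full codeword C(x) of length N = 2^n; only needed to show what the servers hold."""
    return [inner_product_mod2(a, x) for a in range(1 << len(x))]


def query_alg(k, n, i, aux):
    """Q(k, n, i, aux): aux is a uniformly random n-bit string, que_1 = aux, que_2 = aux xor e_i."""
    if k != 2 or not 0 <= i < n or not 0 <= aux < (1 << n):
        raise ValueError("k must be 2, i in [n], aux an n-bit string")
    return (aux, aux ^ (1 << i))


def answer_alg(k, n, j, x, que):
    """A(k, n, j, x, que_j): server j returns codeword symbol number que_j, computed on the
    fly so that the server never materialises the 2^n-bit codeword."""
    return inner_product_mod2(que, x)


def reconstruct(k, n, i, aux, ans1, ans2):
    """C(k, n, i, aux, ans_1, ans_2) = <aux, x> + <aux xor e_i, x> = x_i (mod 2)."""
    return ans1 ^ ans2


def retrieve(x, i, aux=None):
    """One round of the protocol; aux defaults to fresh randomness from the OS CSPRNG."""
    n = len(x)
    if aux is None:
        aux = secrets.randbelow(1 << n)
    que = query_alg(2, n, i, aux)
    ans = [answer_alg(2, n, j, x, que[j]) for j in range(2)]
    return reconstruct(2, n, i, aux, *ans)


def communication_bits(n):
    """k (log N + log |Gamma|) from Proposition 4.4 with k = 2, N = 2^n, |Gamma| = 2."""
    return 2 * (n + 1)


def query_distribution(n, i, j):
    """Exact distribution of que_j (j in {0, 1}) over all 2^n values of aux for a fixed i.
    The privacy condition of Definition 4.2 holds because every count equals 1 for every i."""
    counts = {}
    for aux in range(1 << n):
        q = query_alg(2, n, i, aux)[j]
        counts[q] = counts.get(q, 0) + 1
    return counts


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 1, 0, 0]          # constructed 8-bit database
    for i in range(len(x)):
        assert retrieve(x, i) == x[i]
    print("communication:", communication_bits(len(x)), "bits per retrieval")
    uniform = set(query_distribution(len(x), 3, 1).values()) == {1}
    print("server 2's query is uniform regardless of i:", uniform)
```

Each server sees a single uniformly random $n$-bit string, so even an unbounded server learns nothing about $i$; the scheme offers no protection, however, if the two servers collude and XOR their queries, which is the usual caveat for information-theoretic PIR.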

The LDCs obtained by Efremenko (2009) and Itoh & Suzuki (2010) both have perfectly smooth decoders, and so do the LDCs we construct in Section 4.1. Applying Proposition 4.4 to the Itoh-Suzuki LDCs, one obtains a family of positive integers $\{k^{(r)}\}_{r \geq 4}$ for which $k^{(r)} \leq 3 \cdot 2^{r-2}$, such that for every $r \geq 4$, there is a $k^{(r)}$-server PIR scheme whose communication complexity is $\exp(O(\sqrt[s]{\log n\,(\log\log n)^{s-1}}))$, where $s = \log k^{(r)} + 2 - \log 3$ (all logarithms are to base 2). These PIR schemes were among the most efficient PIR schemes before this work. Here, we improve their results with the following theorem (an easy consequence of Theorem 4.1 and Proposition 4.4).

Theorem 4.5. The following statements hold:

(a) There is a family of positive integers $\{k^{(r)}\}_{1 \leq r \leq 103}$ for which $k^{(r)} \leq (\sqrt{3})^{r}$ if $r$ is even, and $k^{(r)} \leq 8 \cdot (\sqrt{3})^{r-3}$ if $r$ is odd, such that for every $r \in [103]$, there is a $k^{(r)}$-server PIR scheme with communication complexity $\exp(O(\sqrt[s]{\log n\,(\log\log n)^{s-1}}))$, where $s = 2\log k^{(r)} / \log 3$ if $r$ is even, and $s = (2\log k^{(r)} - 6 + 3\log 3)/\log 3$ if $r$ is odd.

(b) There is a family of positive integers $\{k^{(r)}\}_{r \geq 104}$ for which $k^{(r)} \leq (3/4)^{51} \cdot 2^{r}$, such that for every $r \geq 104$ there is a $k^{(r)}$-server PIR scheme with communication complexity $\exp(O(\sqrt[s]{\log n\,(\log\log n)^{s-1}}))$, where $s = \log k^{(r)} + 102 - 51\log 3$.

(c) If $|M_{2,\mathrm{Mersenne}}| = \infty$, then there is a family of positive integers $\{k^{(r)}\}_{r \geq 1}$ for which $k^{(r)} \leq (\sqrt{3})^{r}$ if $r$ is even, and $k^{(r)} \leq 8 \cdot (\sqrt{3})^{r-3}$ if $r$ is odd, such that for every $r \geq 1$ there is a $k^{(r)}$-server PIR scheme with communication complexity $\exp(O(\sqrt[s]{\log n\,(\log\log n)^{s-1}}))$, where $s = 2\log k^{(r)} / \log 3$ if $r$ is even, and $s = (2\log k^{(r)} - 6 + 3\log 3)/\log 3$ if $r$ is odd.
5. Conclusion

In this paper, we showed that every Mersenne number with prime exponent which is the product of two primes can be used to improve the query complexity by a factor of 3/4 in Efremenko's framework for constructing LDCs. Based on the 50 elements of $M_{2,\mathrm{Mersenne}}$ we discovered, a new family of query-efficient LDCs of subexponential length with better performance than those of Efremenko (2009) and Itoh & Suzuki (2010) was obtained. Applying our new LDCs to the construction of PIR schemes, we obtained a new family of PIR schemes, which are also more efficient than those of Efremenko (2009) and Itoh & Suzuki (2010). It is an interesting open problem to determine whether $|M_{2,\mathrm{Mersenne}}| = \infty$. Furthermore, identifying new elements in $M_{2,\mathrm{Mersenne}}$ would improve our results and is also of interest in its own right.

Acknowledgements 

The authors are grateful to Oded Goldreich for valuable suggestions that helped 
improve the presentation of the paper. The authors also thank Joachim von 
zur Gathen and the anonymous referee for helpful comments. 

Research of Y. M. Chee, S. Ling, and H. Wang is supported in part by 
the National Research Foundation of Singapore under Research Grant NRF- 
CRP2-2007-03. 

References 

A. Ambainis (1997). Upper bound on the communication complexity of private 
information retrieval. In ICALP '97: Proceedings of the 24th International Collo- 
quium on Automata, Languages and Programming, volume 1256 of Lecture Notes in 
Comput. Sci., 401-407. Springer, Berlin. 

A. Beimel, Y. Ishai & E. Kushilevitz (2005). General constructions for 
information-theoretic private information retrieval. J. Comput. System Sci. 71(2), 
213-247. 

A. Beimel, Y. Ishai, E. Kushilevitz & J.-F. Raymond (2002). Breaking the $O(n^{1/(2k-1)})$ barrier for information-theoretic private information retrieval. In FOCS '02: Proceedings of the 43rd Symposium on Foundations of Computer Science, 261-270. IEEE Computer Society, Washington, DC, USA.

B. Chor, O. Goldreich, E. Kushilevitz & M. Sudan (1998). Private informa- 
tion retrieval. J. ACM 45(6), 965-982. 



Query-Efficient Locally Decodable Codes 25 



C. W. Curtis & I. Reiner (2006). Representation Theory of Finite Groups and 
Associative Algebras. AMS Chelsea Publishing, Providence, RI, xiv+689. 

A. Deshpande, R. Jain, T. Kavitha, J. Radhakrishnan & S. V. Lokam (2002). 
Better Lower Bounds for Locally Decodable Codes. In CCC '02: Proceedings of the 
11th IEEE Annual Conference on Computational Complexity, 184. IEEE Computer 
Society, Washington, DC, USA. 

Z. Dvir & A. Shpilka (2005). Locally decodable codes with 2 queries and poly- 
nomial identity testing for depth 3 circuits. In STOC '05: Proceedings of the 37th 
Annual ACM Symposium on Theory of Computing, 592-601. ACM, New York. 

K. Efremenko (2009). 3-query locally decodable codes of subexponential length. In 
STOC '09: Proceedings of the 41st annual ACM symposium on Theory of computing, 
39-44. ACM, New York. 

W. Gasarch (2004). A survey on private information retrieval. Bull. Eur. Assoc. Theor. Comput. Sci. EATCS 82, 72-107.

O. Goldreich, H. Karloff, L. J. Schulman & L. Trevisan (2006). Lower bounds for linear locally decodable codes and private information retrieval. Comput. Complexity 15(3), 263-296.

P. Gopalan (2009). A note on Efremenko's locally decodable codes. Electronic 
Colloquium on Computational Complexity (ECCC) TR09-069. 

V. Grolmusz (2000). Superpolynomial size set-systems with restricted intersections 
mod 6 and explicit Ramsey graphs. Combinatorica 20(1), 71-85. 

T. Itoh (1999). Efficient private information retrieval. IEICE Trans. Fund. Elec- 
tronics Comm. E82-A 1, 11-20. 

T. Itoh & Y. Suzuki (2010). New constructions for query-efficient locally decodable 
codes of subexponential length. IEICE Trans. Inform. Syst. E93-D 2, 263-270. 

J. Katz & L. Trevisan (2000). On the efficiency of local decoding procedures for 
error-correcting codes. In STOC '00: Proceedings of the Thirty-Second Annual ACM 
Symposium on Theory of Computing, 80-86 (electronic). ACM, New York. 

K. S. Kedlaya & S. Yekhanin (2008). Locally decodable codes from nice subsets of finite fields and prime factors of Mersenne numbers. SIAM J. Comput. 38(5), 1952-1969.

I. Kerenidis & R. de Wolf (2004). Exponential lower bound for 2-query locally decodable codes via a quantum argument. J. Comput. System Sci. 69(3), 395-420.




F. J. MacWilliams & N. J. A. Sloane (1977). The Theory of Error-Correcting Codes. North-Holland Publishing Co., Amsterdam.

B. R. McDonald (1974). Finite Rings with Identity. Marcel Dekker Inc., New 
York, ix+429. Pure and Applied Mathematics, Vol. 28. 

K. Obata (2002). Optimal lower bounds for 2-query locally decodable linear codes. 
In Randomization and Approximation Techniques in Computer Science, volume 2483 
of Lecture Notes in Comput. Sci., 39-50. Springer, Berlin. 

P. Raghavendra (2007). A note on Yekhanin's locally decodable codes. Electronic 
Colloquium on Computational Complexity (ECCC) TR07-016. 

D. Shiowattana & S. V. Lokam (2006). An optimal lower bound for 2-query 
locally decodable linear codes. Inform. Process. Lett. 97(6), 244-250. 

L. Trevisan (2004). Some applications of coding theory in computational complex- 
ity. In Complexity of Computations and Proofs, volume 13 of Quad. Mat., 347-424. 
Dept. Math., Seconda Univ. Napoli, Caserta. 

L. C. Washington (1997). Introduction to cyclotomic fields, volume 83 of Graduate 
Texts in Mathematics. Springer-Verlag, New York, 2nd edition, xiv+487. 

S. Wehner & R. de Wolf (2005). Improved lower bounds for locally decodable 
codes and private information retrieval. In ICALP '05: Proceedings of the 32nd 
International Colloquium on Automata, Languages and Programming, volume 3580 
of Lecture Notes in Comput. Sci., 1424-1436. Springer, Berlin. 

D. Woodruff & S. Yekhanin (2007). A geometric approach to information- 
theoretic private information retrieval. SIAM J. Comput. 37(4), 1046-1056. 

D. P. Woodruff (2007). New lower bounds for general locally decodable codes. 
Electronic Colloquium on Computational Complexity (ECCC) TR07-006. 

S. Yekhanin (2008). Towards 3-query locally decodable codes of subexponential 
length. J. ACM 55(1), 1-16. 



Manuscript received 8 February 2010 




Yeow Meng Chee
Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore 637371
ymchee@ntu.edu.sg

Tao Feng
Department of Mathematical Sciences, University of Delaware, Newark, DE 19716, USA
feng@math.udel.edu

San Ling
Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore 637371
lingsan@ntu.edu.sg

Huaxiong Wang
Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore 637371
hxwang@ntu.edu.sg

Liang Feng Zhang
Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore 637371
liangf.zhang@gmail.com



